An unknown hacker has breached the computer systems of three banks and a pharmaceutical company and infected most of their computers with crypto-ransomware.
The incident took place at the start of January, all companies were located in India, and the hacker(s) used the LeChiffre ransomware family to encrypt files on the infected computers.
LeChiffre is a hand-cranked ransomware
LeChiffre is not your typical ransomware and works only if launched into execution manually. The hacker managed to infiltrate the networks of all companies, and then escalated his access to other computers via unprotected Remote Desktop ports.
Once he gained access to a computer, the hacker would download the ransomware from his server and then double-click it to start the encryption process.
According to Malwarebytes, a cyber-security vendor who took a closer look at how the ransomware works, LeChiffre's encryption operates by encrypting the first and last 8192 bytes of each file and then appending the encryption key to the file as a 32-byte blob. The encryption is AES.
Malwarebytes also says the ransomware is written in Delphi, and that its interface is in Russian.
"LeChiffre looks very unprofessional [...] practically, no countermeasures against analysis has been taken," says Hasherezade, security analyst for Malwarebytes.
"It can be justified by the fact, that this ransomware was not intended to be distributed in [a] campaign, only used by attackers after they entered the system," the analyst also added. "However, poorly implemented encryption and model of communication with victims (via e-mail), shows that this malware has been prepared lazily, probably by beginners."
Read more: LeChiffre Ransomware Hits Three Indian Banks, Causes Millions in Damages
